Acquisition and Verification Hash Value Issues

6 Posts
4 Users
 Norm
(@norm)
New Member
Joined: 19 years ago
Posts: 3
Topic starter  

Recently I acquired a (suspect's) 60GB Hitachi 2.5" hard drive removed from a Toshiba Satellite Tablet PC to a new Maxtor 200GB (evidence) hard drive using EnCase Forensic Edition 6.3. The suspect hard drive was connected to the forensic unit via a 2.5" HDD adapter, IDE cable and FastBloc2 LE.

After the acquisition and verification, EnCase reported the acquisition completely verified with no errors. When I checked the Acquisition and Verify Hash, they did not match. EnCase reported (0) Read Errors, Missing Sectors, and CRC Errors. Not knowing what caused this, I verified each of the (36) E01-E36 files with no errors reported.

I changed the IDE, FireWire and power cables, and the 2.5" adapter. I installed EnCase Forensic Edition 6.4 on the forensic unit and re-acquired the suspect drive again to the evidence drive and received the same results as before, but with totally different Acquisition and Verify Hash values that did not match.

Switching the IDE cable around which was connected to the 2.5" adapter and FastBloc2, thinking that this may have caused the problem, I re-acquired the suspect drive again to another new Maxtor 200GB (evidence) hard drive. Same results as before, but with totally different Acquisition and Verify Hash values that did not match.

I switched the IDE cable back around and re-acquired again; this time I obtained the same Acquisition and Verify Hash values. Wanting to make sure everything was OK, I verified each of the 36 evidence files and there were no errors. I decided to acquire the suspect hard drive again to make sure the hash values matched, and once again the hash values did not match.

I decided to acquire the suspect hard drive with EnCase Forensic Edition 4.22g and 5.05f and received the same results: Acquisition and Verify hash values did not match. I've been told the suspect hard drive may be failing, or I could be running into a hardware issue with my forensic unit. So I decided to install the FastBloc2 LE into an old Dell OptiPlex GX260. I wiped a new hard drive, did a fresh install of Windows XP with all the current updates, did a fresh install of EnCase Forensic Edition 6.5 and re-acquired the suspect hard drive to another new Maxtor evidence hard drive. EnCase reported the Acquisition and Verify hash values matched. I completed this process 3 additional times and all hash values matched.

Not having an explanation for what really caused the hash values to not match, I pose the question to the list. I understand it could have been many things: hardware, cable, failing hard drive. But because the hash values did not match, does that affect the integrity of the actual data (evidence) that is on the hard drive? EnCase seals the evidence files after acquisition; however, how would one explain how the data (evidence) is good if the hash values don't match during one acquisition but do for another?

This is not the first time I have seen the Acquisition and Verify Hash not match when using the original forensic unit (not the Dell OptiPlex). I have noticed four other cases where the acquisition and verify hash values didn't match. I will be in the process of re-acquiring those units, but it doesn't solve my issue of what caused this in the first place. I've done acquisitions before and after this issue that were "good".

Any advice with this issue would be greatly appreciated, and I apologize that this post is so long. I have been on the phone with Guidance and they have been helpful; however, I've been told this is more of a mythology question and they could not comment on it, and suggested I post it.

Again thank you for the help!


   
Quote
 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

Mythology question? Sounds pretty real to me. Kudos for your persistence and professionalism. If I follow what you said, it would sound to me that there's an issue with the original forensic workstation; if I were in your shoes I'd put in different memory, then motherboard/CPU, in the case to see if the issue is memory, mobo or something else (power supply?). It sounds like you have pretty well isolated the cause. The acquisitions done on the original unit even after the main issue could have simply been "good luck" in getting the hashes to match. Sounds like something failing very intermittently.

As to root cause, that's pretty difficult to narrow down given that it only takes one bit to ruin your day.


   
ReplyQuote
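The two symptoms the thread describes (a verify hash that differs from the acquisition hash while EnCase reports zero CRC errors, and ddow's point that one flipped bit is enough) can be reproduced in a small model. The following is an added example written for this page; it is not code from anyone in the thread, from EnCase or from Guidance Software. It keeps only two features of an E01-style image: the data is stored as fixed-size chunks (64 sectors, 32 KiB at 512-byte sectors) each followed by its own CRC32, and one hash over the whole acquired stream is stored at acquisition and recomputed from the evidence files at verification. The record layout, file names (`image.E01` ...), the assumption that the stream hash is taken over bytes as read while the CRC is taken over bytes as written, and the sample "suspect drive" contents are all constructed for the example; nothing else about the real EWF format or about where EnCase computes its CRCs is claimed.

```python
"""Simulated acquisition and verification of a segmented evidence image.

Added example; not code from the thread, from EnCase or from Guidance Software.
Only the chunk+CRC layout and the stream hash are modelled; the on-disk record
format below is a constructed simplification, not the real EWF/E01 format.
"""
import hashlib
import os
import random
import struct
import tempfile
import zlib
from typing import List, Optional, Tuple

CHUNK = 32 * 1024      # 64 sectors of 512 bytes, the E01 chunk size
SEGMENT_CHUNKS = 4     # chunks per segment file; tiny so the demo produces several segments


def acquire(source: bytes, out_dir: str,
            corrupt_at: Optional[int] = None) -> Tuple[str, List[str]]:
    """Stream `source` into segment files image.E01, image.E02, ...

    Assumed model: the acquisition MD5 is taken over each chunk as read from the
    source; the CRC32 is taken over the chunk as written.  If `corrupt_at` is
    given, one bit at that source offset is flipped between those two steps,
    standing in for a fault in the write path (bad RAM, marginal cable, controller).
    Returns (acquisition_md5, [segment paths]).
    """
    acq = hashlib.md5()
    paths: List[str] = []
    seg = None
    for chunk_idx, off in enumerate(range(0, len(source), CHUNK)):
        chunk = source[off:off + CHUNK]
        acq.update(chunk)                          # hash what was read
        if corrupt_at is not None and off <= corrupt_at < off + len(chunk):
            buf = bytearray(chunk)
            buf[corrupt_at - off] ^= 0x01          # single-bit error after hashing
            chunk = bytes(buf)
        if chunk_idx % SEGMENT_CHUNKS == 0:        # start a new segment file
            if seg is not None:
                seg.close()
            path = os.path.join(out_dir, f"image.E{len(paths) + 1:02d}")
            paths.append(path)
            seg = open(path, "wb")
        record = struct.pack(">I", len(chunk)) + chunk + struct.pack(">I", zlib.crc32(chunk))
        seg.write(record)                          # CRC covers what was written
    if seg is not None:
        seg.close()
    return acq.hexdigest(), paths


def verify(paths: List[str]) -> Tuple[str, int]:
    """Re-read every segment, check each chunk CRC and recompute the stream MD5.

    Returns (verify_md5, crc_error_count).
    """
    h = hashlib.md5()
    crc_errors = 0
    for path in paths:
        with open(path, "rb") as f:
            while hdr := f.read(4):
                (n,) = struct.unpack(">I", hdr)
                chunk = f.read(n)
                (stored_crc,) = struct.unpack(">I", f.read(4))
                if zlib.crc32(chunk) != stored_crc:
                    crc_errors += 1
                h.update(chunk)
    return h.hexdigest(), crc_errors


def flip_bit_in_file(path: str, offset: int) -> None:
    """Corrupt one bit of an already-written segment (a fault on the evidence drive)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)
        f.seek(offset)
        f.write(bytes([b[0] ^ 0x01]))


def run_scenario(fault: str) -> dict:
    """fault: 'none', 'write_path' (bit flip between hash and write) or 'on_disk' (after write)."""
    # Constructed stand-in for the suspect drive: 10 chunks of deterministic pseudo-random data.
    source = random.Random(7).randbytes(CHUNK * 10)
    with tempfile.TemporaryDirectory() as d:
        corrupt_at = CHUNK * 6 + 123 if fault == "write_path" else None
        acq_md5, paths = acquire(source, d, corrupt_at)
        if fault == "on_disk":
            flip_bit_in_file(paths[0], 4 + 10)     # inside chunk 0's data, after its 4-byte length
        ver_md5, crc_errors = verify(paths)
    return {"acquisition_md5": acq_md5, "verify_md5": ver_md5,
            "match": acq_md5 == ver_md5, "crc_errors": crc_errors}


if __name__ == "__main__":
    for fault in ("none", "write_path", "on_disk"):
        print(fault, run_scenario(fault))
```

Running it shows the distinction a practitioner would want when reading the thread: a fault injected between the read-and-hash step and the write leaves every chunk CRC intact, so per-file verification reports no errors, yet the verify hash differs from the acquisition hash; a fault on the evidence drive after writing trips a CRC as well as the hash. Under this model the "zero CRC errors but hashes differ" pattern points at the path between the source read and the evidence write on the imaging workstation (memory, controller, cabling) rather than at the evidence files themselves, which is consistent with the same drive imaging cleanly on a different machine.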
 Norm
(@norm)
New Member
Joined: 19 years ago
Posts: 3
Topic starter  

I wish it was a false belief and I should have written methodology, but you knew what I was talking about. Thanks for the chuckle, I needed it. Your mention of different memory/motherboard is a great idea. I appreciate your help!


   
ReplyQuote
(@rupert)
Active Member
Joined: 18 years ago
Posts: 11
 

I would not take this with a pinch of salt. We have had the same problems in the unit. There has been a lot of work done on this. A dispute arose between interested parties; it got a little serious. There is in existence a memo sent to the U.K. CPS by British researchers. It does not involve the power supply!! However, you are far better off imaging in version 3. I image with FTK. I will not comment further.


   
ReplyQuote
 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

Thanks for the insight Rupert. We respect your need not to provide additional comments. Cheers.


   
ReplyQuote
(@markunread)
Active Member
Joined: 20 years ago
Posts: 10
 

Just as an insight: when I was on EnCase Computer Forensics 1, one of my classmates discovered this same problem with the hashing, with EnCase reporting that there were no errors although the hashes didn't match. We reported this to the trainer, who couldn't explain it, so he wrote a report and sent it off to the technical folk.

This error arose when we were modifying the evidence file to show how sensitive EnCase is in detecting errors... If this happens in their ideal environment, then I doubt, somewhat, that the original poster has this exact environment. It was also v6.4.


   
ReplyQuote
Share: